Implementation and Veriﬁcation of TLS using the Scyther Tool

(1)

Implementation and Verification of TLS

using the Scyther Tool

Wafa Badreddine

wafa.badreddine@lip6.fr

(2)

Outline

•

TLS Protocol: Overview

•

New Scyther Notions

•

Asymmetric Crypto with Scyther Tool

(3)

TLS Protocol:

Overview

(4)

TLS Protocol: Overview

•

SSL (Secure Sockets Layer) is the predecessor of TLS (Transport Layer Security).

•

SSL and TLS are two cryptographic protocols that enable authentication and encryption of data that travels between servers, machines and networked applications.

•

The purpose of the TLS protocol is to secure communications between two applications, usually a web server and a browser.

This protocol is widely used and compatible with most web browsers.

(5)

•

At the network architecture level, the security protocol is inserted between the TCP / IP layer (low level) and the high-level HTTP

protocol, for which it is primarily intended.

•

SSL comes out in 1995 in its version SSL 2.0 (the SSL 1.0 never being released). But after discovering several vulnerabilities in

1996, version 2.0 is quickly replaced by SSL 3.0.

•

Based on SSL 3.0, TLS is introduced in 1999 as the new version of SSL.

(6)

•

^SSL/TLS

•

Keeping an internet connection secure

•

Safe guarding any sensitive data that is being sent between two systems

•

Preventing attackers from reading and modifying any information transferred

•

The two systems can be a server and a client or server and server

•

For example: a shopping web site (server) and a browser (client)

(7)

So what is the difference between SSL and TLS?

•

The diﬀerences are minimal and the term SSL remains widely used.

•

But in your server configuration, diﬀerences can be seen in

vulnerabilities, obsolete cipher suites and browser security warnings.

•

On your servers, only TLS protocols must be enabled.

(8)

How does TLS works ?

•

TLS consists of several sub-protocols:

•

TLS Record: provides secure connections with encryption

methods such as DES (Data Encryption Standard). It can also be used without encryption.

•

TLS Handshake: allows the server and the client to

authenticate and negotiate an encryption algorithm and encryption keys before data exchange.

•

^…

(9)

How does TLS works ?

•

The server:

•

Has a pair of keys (public/secret)

•

Has a Certificate

•

^{The client}

•

May have a pair of keys (public/secret)

•

May have a Certificate

•

The client must authenticate the server

•

The server may authenticate the client (optionally)

(10)

Handshake protocol

•

It allows the client and the server to

•

mutually authenticate each other,

•

to negotiate encryption algorithms,

•

to negotiate MAC (Message Authentication Code) algorithms

•

to negotiate the symmetric keys that will be used for encryption.

(11)

Description

1

(12)

1. C->S

•

The client sends a HELLO_CLIENT message, clearly, to the server. This message contains:

•

Version - The highest version of SSL that the client can use.

•

Random - A 32-bit timestamp and a 28-byte random value generated by the client. The number obtained will serve the signature of the messages.

•

Session ID - A number, which identifies the connection. A zero signifies the customer's desire to establish a new connection on a new session.

Another number means the desire to change the settings or to create a new connection on the existing session.

•

CipherSuite - A list, in descending order of preference, of algorithms that the client supports. These are key exchange and encryption algorithms.

•

Compression Method - lists, in descending order of preference, compression algorithms supported by the client.

(13)

2

(14)

2. S->C

•

The server responds to the client: HELLO_SERVER. The message contains:

•

Version - The highest version of SSL that the client can use.

•

Random - A 32-bit timestamp and a 28-byte random value generated by the client.

•

Session ID - The ID of the session that starts.

•

CipherSuite - The sequence of algorithms chosen for the session. The server selects the first suite it knows in the list sent by the client.

•

Compression Method - The compression method that will be used

(15)

3

(16)

•

^{3. S->C}

•

The server sends to the client:

•

his own certificate

•

data signed by his secret key,

•

request for its Certificate "CertificateRequest",

•

a "ServerHelloDone" telling the client that it is his turn to continue the negotiation

•

The client uses the information received from the server to authenticate it (verification of the certificate, signatures, etc.)

(17)

Description

4

(18)

•

^{4. C->S}

•

The client sends his certificate "Certificate" to the server,

•

creates a preliminary secret code for the "ClientKeyExchange"

session

•

encrypts it with the public key of the server (obtained from the certificate of the server),

•

sends the encrypted predefined secret code to the server

(19)

•

The client must then sign another portion of "CertificateVerify"

data limited to this negotiation and known by the client and the server

•

This portion can be the signature of the hash of all messages changed formerly during the SSL handshake

•

The server decrypts the portion using the client's public key and compares the hash results

•

The server also authenticates the client

•

If the client is successfully authenticated, the server uses its private key to decrypt the preliminary secret code

(20)

•

The client and the server both use the primary secret code to generate a session key that is a symmetric key used to encrypt and decrypt the confidential exchanged information.

(21)

Description

7

(22)

•

^{7. C->S}

•

The client sends the CLIENT_FINISHED message to the server.

This message is encrypted and signed using the keys.

•

It then sends separately an (encrypted) message indicating that the client-side negotiation is finished "Finished".

•

This means that from now on, the client communicates in this way.

(23)

8

(24)

•

^8.S->C

•

The server proceeds in the same way. These messages are handled by the Change Cipher Spec sub-protocol (it is all that defines this protocol).

•

Both use the session key to encrypt anything that is confidential.

(25)

New Scyther Notions

(26)

New Scyther Notions

•

^const:

•

In many applications global constants are used. These include, for example, string constants, …

•

^Example:

•

usertype String;

•

const HelloWorld: String;

•

^Agent:

•

Type used to define an agent.

•

(27)

•

^macro:

•

It is possible to define macros, i. e., abbreviations for particular term.

•

For a protocol that contains complex messages or repeating elements, macros can be used to simplify the protocol specification.

•

macros have global scope. This allows for global abbreviations of protocol messages.

•

The syntax used to define these abbreviations is the following:

macro MyShortCut = LargeTerm;

•

Example: macro messageG=H(X,Y, Rand), {m1}k(X,Y);

(28)

Asymmetric Crypto

with Scyther Tool

(29)

Asymmetric Crypto with Scyther Tool

•

By default, in Scyther:

•

Each actor has a public key & a secret key

•

sk(X): denotes the private key of X

•

pk(X): denotes the corresponding public key

•

{ni}pk(I) : This term can only be decrypted by an agent who knows the secret key sk(I).

•

Each key (public or secret) is assumed: certified

(30)

• Asymmetric keys are typically modeled as two functions:

• one function that maps the agents to their public keys

• another function that maps agents to their secret keys.

• ^Example:

• To model other asymmetric keys, we first define the two functions, which are named pk2 for the public key function, and sk2 for the secret key function.

• const pk2: Function;

• secret sk2: Function;

• const CA: Agent;

• macro CertX2= {H(X2,pkX2, otherInfo)}sk(CA);

• We also declare that these functions represent asymmetric key pairs

• inversekeys (pk2,sk2);

Modeling more than one asymmetric key pair

(31)

Bibliography

•

http://ics.upjs.sk/~jirasek/krp/scyther-manual.pdf

•

https://www.frameip.com/ssl-tls/#4-8211les-protocoles-ssl-et-tls